Developers who used the buggy library must redo their software, update customers

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

The two updates, MS09-034 and MS09-035, fixed three "critical" flaws in IE and three "moderate" bugs in Visual Studio. But in an unusual reversal, Microsoft hinted that the bugs tagged as moderate may actually be the most serious of the lot.

That's because the Visual Studio bugs were, as three researchers claimed earlier this week, in a code "library" dubbed Active Template Library (ATL). That library was used by Microsoft and an unknown number of third-party developers to create ActiveX controls and components of their applications.

"This is a complex issue, providing a comprehensive response to a library vulnerability," Mike Reavey, director of Microsoft's Security Response Center (MSRC), said today. "Library issues are hard to deal with, and take a lot of collaboration to resolve...."

That's because, by definition, a library is used by developers to crank out their own code. So a flaw in the library means that the resulting programming product -- an ActiveX control or a .dll necessary for an application -- also contains the flaw.

Microsoft made that clear, although the phrasing was dense. "Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable," the company said in an unusual accompanying security advisory that spelled out the risks posed to developers, IT professionals and consumers.

To protect Windows users in the meantime, Microsoft partnered the Visual Studio update with one for IE. "MS09-034 blocks all currently-known attacks while those [vulnerable controls and components] are being updated by their developers," said Reavey.

The additions to IE don't block all vulnerable ActiveX controls, he admitted, but instead check to see whether those controls use specific methods known to trigger the bugs; it then blocks those that do. In places, Microsoft described the protection vaguely, calling it a "new defense-in-depth technology."

Tyler Reguly, a Toronto-based researcher at nCircle Security, said that users were between a rock and a hard place today. "Rolling out the IE patch as soon as possible is the best advice for everyone," said Reguly. "But now that details are out about the ATL vulnerabilities, anyone can dig into the patches for more information. That makes me question whether the third-party applications are at a greater risk now, and for the next couple of weeks, than they were before."

Reavey acknowledged that it's difficult to tell how many developers used the buggy ATL, and thus how many vulnerable pieces of code may be in circulation.

Microsoft is continuing to investigate its own code for uses of the flawed library, Reavey added -- some researchers said earlier this month that both Windows XP and Vista contain critical files harboring the bugs -- and is working with third-party software makers to help them uncover bad code.

The out-of-cycle updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.